THE NIGERIA DATA PROTECTION ACT and how to comply with it

On June 14th, 2023, President Bola Ahmed Tinubu signed into law the Nigeria Data Protection Act, 2023 (NDPA), creating a statutory framework for the handling and processing of the personal data of individuals in Nigeria. The Act consolidated the policies set out in the Nigeria Data Protection Regulation (NDPR) of 2019, replaced the Nigeria Data Protection Bureau with the Nigeria Data Protection Commission (NDPC), which is responsible for implementing and enforcing the Act, and created a Governing Council that sets the overall policy direction for the affairs of the Commission.

The NDPA has 12 parts, i.e., Parts I to XII;

  • Parts I to IV establish the Commission and its structure
  • Parts V to VIII set out the data protection principles and the related implementation requirements
  • Part IX provides for the registration of data controllers and data processors of major importance
  • Parts X to XI deal with enforcement and legal proceedings
  • Part XII contains the miscellaneous provisions of the Act

Together, these parts serve a common set of objectives, namely;

  • Safeguarding the fundamental rights, freedoms, and interests of data subjects as guaranteed under the 1999 Constitution
  • Regulating the processing of personal data
  • Promoting data processing best practices that safeguard the security of personal data and the privacy of data subjects
  • Protecting the rights of data subjects and providing means of recourse and remedies, in the event of the breach of the data subjects’ rights
  • Ensuring that data controllers and processors fulfill their obligations to data subjects
  • Strengthening the legal foundations of the national digital economy, and
  • Guaranteeing Nigeria’s participation in regional and global economies through beneficial and trusted use of personal data.

The Act does not apply to the processing of personal data by an individual solely for personal or household purposes, provided that such processing does not violate a data subject’s fundamental right to privacy. Otherwise, it applies to a data controller or data processor that is;

  • Domiciled in Nigeria
  • Ordinarily resident in Nigeria
  • Operating in Nigeria, or
  • Processing personal data within Nigeria, or
  • Neither domiciled, resident, nor operating in Nigeria, but processing the personal data of data subjects in Nigeria.

Any organization that determines the purpose and means of processing personal data is a data controller under the Act, and any organization that processes personal data on a controller’s behalf is a data processor. Both are expected to account for all personal data they process, whether online or offline, act in the interests of the data subjects, conduct regular audits, and implement appropriate measures to ensure the security, confidentiality, and integrity of the personal data in their possession or under their control. In doing so, they are guided by the principles of data processing set out in S. 24 of the Act, which include;

  • Personal data must be processed in a fair, lawful, and transparent manner.
  • Personal data must be collected for specific, explicit, and legitimate purposes, and not further processed in any way that is incompatible with those purposes.
  • Personal data should be adequate, relevant, and limited to the minimum necessary for the purposes for which it was collected or processed.
  • Personal data should be retained for no longer than is necessary to achieve the lawful purposes for which it was collected.
  • Personal data must be accurate, complete, not misleading, and kept up to date.
  • Personal data must be processed in a manner that ensures appropriate protection against unauthorized or unlawful processing, access, loss, destruction, damage, or any other form of data breach.
  • The data controller and data processor must use appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data.
  • In processing personal data, the data controller or data processor owes the data subject a duty of care and is accountable for compliance with the principles contained in the Act.

Furthermore, S. 25 sets out what does and does not constitute a lawful basis for the processing of personal data. It provides that processing is lawful where;

  • The data subject has given and not withdrawn consent
  • The processing is necessary —

Processing is not lawful where the interests relied on for it;

  • Override the fundamental rights, freedoms, and interests of the data subject
  • Are incompatible with the other lawful bases of processing
  • Would not give the data subject a reasonable expectation that the personal data would be processed in the manner envisaged.

Some processing carries a high risk to the people whose data is involved, and S. 28 addresses this directly by providing that;

Where the processing of personal data may likely result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context, and purposes, a data controller shall, prior to the processing, carry out a data privacy impact assessment.

A “data privacy impact assessment” is a process designed to identify the risks and impact of the envisaged processing of personal data, and it comprises;

  • A systematic description of the envisaged processing and its purpose, including the legitimate interest pursued by the data controller, data processor, or third party
  • An assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed
  • An assessment of the risks to the rights and freedoms of the data subject
  • The measures envisaged to address those risks, including the safeguards, security measures, and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of the data subject and other persons concerned.

Under the Act, the individuals whose personal data is processed are data subjects, and they have the following rights, among others;

  • The right to give and withdraw consent, and to object to the collection, use, or processing of their personal data
  • The right to demand and obtain information regarding the personal data held about them, including the right to have such data rectified or erased
  • The right to data portability, that is, to receive their personal data in a structured, commonly used, machine-readable format. Separately, the cross-border transfer of personal data out of Nigeria is restricted unless the recipient country or organization provides adequate protection or another condition set out in the Act is met, and both the transferring and receiving organizations are subject to sanctions under the Act if a transfer violates it
  • Where a breach of personal data is likely to result in a high risk to their rights and freedoms, the right to be notified immediately by the data controller, whether directly or through public media; the data controller must also notify the Commission within 72 hours of becoming aware of the breach
  • The right not to be subject to a decision based solely on the automated processing of personal data, including profiling


Recently, news reports have notified all entities that collect the personal data of individuals, including businesses, educational institutions, healthcare providers, and other organizations, that registration is mandatory, citing Section 5(d) of the Nigeria Data Protection Act, 2023, and the Commission has issued guidance notices to assist data controllers and processors with the registration. In the Act itself, the registration obligation is set out in Part IX (S. 44) and applies to data controllers and data processors of major importance, as designated by the Commission.

NDPC's Call-to-Register is addressed to data controllers and data processors operating in or with Nigeria

A data controller or data processor of major importance that processes personal data without registering commits an offence under the Act. Failure to comply with the registration requirement, and with the Act more generally, attracts penalties such as;

  • The issuance of a compliance order against a data controller or data processor in case of non-compliance. This order includes;
  • The issuance of an enforcement order or a sanction where the data controller and/or data processor violates the Act. This order includes;
  • S. 49 stipulates that failure to comply with a compliance order is an offence punishable by a fine and/or imprisonment for a term of not more than one year
  • S. 52 provides for an order of forfeiture against a convicted data controller, data processor, or individual under the Proceeds of Crime (Recovery and Management) Act

As a data subject, if you are not satisfied with a decision of the Commission, S. 50 permits you to apply to the court for judicial review within 30 days of the order being made, and if you suffer loss as a result of a violation of the Act, you are entitled to damages from the data controller or data processor concerned in civil proceedings.

The introduction of the NDPA aligns Nigeria’s digital economy and technological advancement with global best practice. Given the changes the Act introduces, businesses should assess their current compliance status, keep their data protection strategies in step with evolving policy, and proactively seek professional advice to review their existing data processing framework for relevance and suitability under the Act.



About Legal Bytes

We are Adune Legal’s weekly newsletter, which simplifies the law for busy executives, entrepreneurs, and tech enthusiasts interested in the legal aspects of business, technology, and intellectual property.

WAIT!!!

Q&A Sessions happen on Substack

Our subscribers have access to live Q&A sessions every Thursday via chat on Substack. It’s an excellent opportunity for our community to interact and get answers to their legal questions. Don't miss out on this perk: subscribe today and start enjoying it!


Thanks for reading Legal Bytes

Adune Legal’s Team


P.S. Like Legal Bytes? Please forward us to a friend.

P.P.S. Was this publication forwarded to you? Sign up here & see previous publications.

More articles by Nneoma Grace Agwu-Okoro